Date: 4 June 2024
Transparent and smooth communications during a digital disruption are critical to business continuity, maintaining customer confidence and securing the reputation of the business. Given the rise in disruptions from cyber attacks, the EU Digital Operational Resilience Act that comes into effect next year, has placed significant emphasis on Crisis Communications.
DORA requires all financial institutions in the EU to implement an ICT (Information & Communications Technology) Risk Management Framework. The financial entities that DORA applies to include banks, investment firms and credit institutions as well as non-traditional finance entities such as crypto-asset service providers and crowdfunding platforms. As part of the Risk Management Framework, all financial entities are expected to have a clear communication strategy in the event of an ICT-related event (Article 6 of the Act).
In this article, we look at what the EU DORA mandate for this communication strategy is and how you can achieve compliance with the same. For a full understanding of what DORA is and what its core tenets are, do read our article on the 5 pillars of EU DORA.
Topics Covered:1. What does the EU DORA say about Crisis Communications?
2.How to achieve compliance with DORA requirements?
The EU DORA on Crisis Communications: A Summary
Chapter II of the DORA regulation focuses on ICT (Information and Communications Technology) Risk Management. Article 14 of this Chapter is specifically devoted to Crisis Communications.
Here’s a quick summary of the expectations that Article 14 outlines:
- The financial entities under the ambit of DORA must have a crisis communication plan in place.
- The plan should enable “responsible disclosure” of ICT related risks and vulnerabilities to all relevant stakeholders and the public as well.
- Financial entities must have a Communications Policy for internal staff and external stakeholders. The policy should take into account the differing needs of staff involved in ICT Risk Management and those who aren’t directly involved but need to stay informed.
- At least one person should be designated to communicate with the public and the media on ICT-related incidents.
Article 11 of this Chapter, entitled ‘Response and Recovery’ also covers critical points about the Cyber Crisis Communications strategy and what it must encompass.
Here’s a brief and easy-to-read summary of what Article 11 says with regards to Crisis Communications:
- The business continuity policy must have pre-defined communication and crisis management actions for transmitting updated information on any incident to all stakeholders and relevant authorities.
- All financial entities, except micro-enterprises, are expected to have a well-established Crisis Management function.
- In the event of activation of the Incident Response Plan, there should be clear procedures for internal and external crisis communications.
- The Crisis Communications Plan must be tested regularly.
How to Achieve Compliance with DORA’s Crisis Communications mandate?
Now that you know what the expectations of the Digital Operational Resilience Act are with respect to Crisis Communications, it’s easier to understand how to plan and strategize for it.
#1. Evaluate your Current Crisis Management Capabilities: The natural first step is to see where you stand currently. Do you have a plan in place to communicate effectively in a crisis? Will you be able to handle the narrative when media, customers and partners are hounding you for answers? Does your organisation have a well-defined Public Relations strategy for a cyber crisis or digital disruption? And do you know who will manage the communications piece when confronted with a cyber attack?
These are just some of the questions your organisation needs answers to. Investing in a professional evaluation of your overall cyber resilience, including communications capabilities, is the ideal way to approach DORA compliance.
Cyber Management Alliance’s Virtual Cyber Consultant service is perfect if you’re looking for a cost-effective, flexible yet highly result-oriented solution. Our deeply experienced cybersecurity practitioners conduct a thorough assessment of our existing digital operational resilience and give recommendations for improvement that are tailored specifically to your goals.
They can also help you implement a Risk Management Framework and a Cybersecurity Framework, accelerating the pace at which you’re able to achieve compliance with DORA.
#2. Work on your ICT Incident Response Plan: DORA has placed renewed emphasis on a strong Cyber Incident Response Plan, Business Continuity Plan and Response and Recovery Playbooks.
Your Crisis Communications plan is also meant to be a part of the Response and Recovery plan of your organisation. This plan must contain:
- Pre-defined messaging templates in case of a cyber disruption.
- Established channels and protocols of communication
- Designated persons in-charge of managing crisis communications with the media, internal and external stakeholders and competent regulatory authorities.
Make sure you have a robust Cyber Incident Response Plan that not only helps you salvage the situation in case of a cybersecurity incident. It should also contain an in-built Crisis Communications plan covering all the above requirements.
You can use our FREE Cyber Incident Response Plan template and customise it to fit your organisational context. Our NCSC Assured Training in Cyber Incident Planning and Response goes deep into the nuances of proper Incident Management, Reporting and Planning. Crisis Communications is a core component of this training.
#3. Test your Cyber Crisis Communications Plan: As discussed earlier, Article 11 of Chapter II clearly calls for testing your Communications Strategy and Plans. The only effective way to do this is through Digital Operational Resilience Testing via Cyber Tabletop Exercises.
Through these scenario-based simulated exercises, you can evaluate how capable your organisation would be of managing and communicating seamlessly in a crisis. These cyber drills also show how well-versed the person in charge of communications is with the communication protocols, templates and actions.
These exercises are particularly useful for the senior leadership and the executive team who are most likely to communicate with customers, partners, the Board and regulatory authorities in case of a crisis. We have especially curated Cyber Tabletop Exercises for Executives that are brief and to-the-point, keeping in mind the busy schedules of senior management. However, the operational resilience tests for communication plans must also see participation from other important departments such as HR, legal and of course, PR.
